Even if the session lifetime is proposed by the server, if the client has a local configuration, shouldn't we pick the minimum of what the server is configuring and what the client is configured with?
If we don't have this option in OpenSSL, should we have this change? Anyone interested in working along with me?
-thanks
harish
On Tue, Jan 26, 2021 at 11:43 PM Harish Kulkarni <harishvk27@xxxxxxxxx> wrote:
Thank you both for bringing this to my attention, your points are invaluable. If this is something which gets set from the server on the client side, can the client override this? Can I change this to something less and try? Has anyone tried? What's the option in openssl.conf or some other place?
-thanks
harish
On Mon, Jan 25, 2021 at 11:08 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:
On 23/01/2021 15:22, John Thoe wrote:
> Hi list,
>
> The session reuse question posted on the mailing list earlier
> (https://mta.openssl.org/pipermail/openssl-users/2021-January/013360.html)
> reminded of a somewhat similar question I have.
>
> As per the docs,
> https://www.openssl.org/docs/man1.0.2/man3/SSL_get_default_timeout.html,
> it says the default value is 300 seconds for which a session reuse
> will be accepted. The docs say that it is the same for all
> protocols.
>
> However I tried it with my setup where I didn't explicitly set the
> timeout and I am getting 7200 seconds as the default value. s_client
> output: TLS session ticket lifetime hint: 7200 (seconds). My client
> openssl.conf has no setting override (not that it should matter
> because this is a server preference). No OpenSSL settings on the
> server have been modified as well.
Looks to me like the docs are wrong. They probably should say 7200.
>
> In ssl/ssl_sess.c#L80, the code matches the document: ss->timeout =
> 60 * 5 + 4; /* 5 minute timeout by default */ ... (with additional
> four seconds?)
This gets set during construction and then later overwritten when we
actually get a new session via "ssl_get_new_session":
    /* If the context has a default timeout, use it */
    if (s->session_ctx->session_timeout == 0)
        ss->timeout = SSL_get_default_timeout(s);
    else
        ss->timeout = s->session_ctx->session_timeout;
In most cases SSL_get_default_timeout() calls tls1_default_timeout() (it
can end up somewhere different for certain protocol versions - but all
the different variants are the same!):
    long tls1_default_timeout(void)
    {
        /*
         * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
         * http, the cache would over fill
         */
        return (60 * 60 * 2);
    }
60 * 60 * 2 = 7200
Matt